Am I part of a botnet?

Discussion in 'other firewalls' started by boltbell, Apr 20, 2013.

Thread Status:
Not open for further replies.
  1. boltbell

    boltbell Registered Member

    Joined:
    Apr 20, 2013
    Posts:
    4
    I just took a look at my connections on my router and I'm wondering if I'm part of a botnet or if I've got some malware/virus on the computer?

    Here are the log files, I'm using DSL (CenturyLink) + an Asus router.

    Code:
    Apr 20 19:49:06 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=10546 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=114 
    Apr 20 19:51:33 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=58.170.246.230 DST=192.168.1.183 <1>LEN=52 TOS=0x00 PREC=0x40 TTL=112 ID=43249 DF PROTO=TCP <1>SPT=49361 DPT=43825 SEQ=2405954664 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030101010402) 
    Apr 20 19:51:33 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=58.170.246.230 DST=192.168.1.183 <1>LEN=48 TOS=0x00 PREC=0x40 TTL=112 ID=43253 PROTO=UDP <1>SPT=21681 DPT=43825 LEN=28 
    Apr 20 19:51:34 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=58.170.246.230 DST=192.168.1.183 <1>LEN=52 TOS=0x00 PREC=0x40 TTL=112 ID=43286 DF PROTO=TCP <1>SPT=49361 DPT=43825 SEQ=2405954664 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030101010402) 
    Apr 20 19:51:35 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=58.170.246.230 DST=192.168.1.183 <1>LEN=52 TOS=0x00 PREC=0x40 TTL=112 ID=43321 DF PROTO=TCP <1>SPT=49361 DPT=43825 SEQ=2405954664 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030101010402) 
    Apr 20 19:52:31 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=32.132.18.121 DST=192.168.1.144 <1>LEN=46 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP <1>SPT=42408 DPT=48353 LEN=26 
    Apr 20 19:53:56 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=24.254.234.57 DST=192.168.1.144 <1>LEN=46 TOS=0x00 PREC=0x00 TTL=115 ID=27708 PROTO=UDP <1>SPT=29542 DPT=48353 LEN=26 
    Apr 20 19:54:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=41.70.207.241 DST=192.168.1.144 <1>LEN=46 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP <1>SPT=48528 DPT=48353 LEN=26 
    Apr 20 19:54:17 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=59.124.71.230 DST=192.168.1.144 <1>LEN=46 TOS=0x00 PREC=0x00 TTL=112 ID=23974 PROTO=UDP <1>SPT=21441 DPT=48353 LEN=26 
    Apr 20 19:54:30 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=41.70.200.194 DST=192.168.1.144 <1>LEN=46 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP <1>SPT=48528 DPT=48353 LEN=26 
    Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=25276 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113 
    Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.193.212.166 DST=192.168.1.144 <1>LEN=141 TOS=0x00 PREC=0x00 TTL=53 ID=16121 PROTO=UDP <1>SPT=48281 DPT=48353 LEN=121 
    Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=117 ID=31458 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=113 
    Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3363 PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114 
    Apr 20 19:55:07 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=49617 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113 
    Apr 20 19:55:07 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.193.212.166 DST=192.168.1.144 <1>LEN=141 TOS=0x00 PREC=0x00 TTL=53 ID=58301 PROTO=UDP <1>SPT=48281 DPT=48353 LEN=121 
    Apr 20 19:55:07 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=117 ID=33377 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=113 
    Apr 20 19:55:07 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3364 DF PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114 
    Apr 20 19:55:11 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.193.212.166 DST=192.168.1.144 <1>LEN=141 TOS=0x00 PREC=0x00 TTL=53 ID=4825 PROTO=UDP <1>SPT=48281 DPT=48353 LEN=121 
    Apr 20 19:55:11 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=12014 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113 
    Apr 20 19:55:11 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=117 ID=41120 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=113 
    Apr 20 19:55:11 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3370 DF PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114 
    Apr 20 19:55:45 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.193.212.166 DST=192.168.1.144 <1>LEN=141 TOS=0x00 PREC=0x00 TTL=53 ID=32442 PROTO=UDP <1>SPT=48281 DPT=48353 LEN=121 
    Apr 20 19:55:45 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3434 DF PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114 
    Apr 20 19:55:46 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=10529 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113 
    Apr 20 19:55:47 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.193.212.166 DST=192.168.1.144 <1>LEN=141 TOS=0x00 PREC=0x00 TTL=53 ID=41882 PROTO=UDP <1>SPT=48281 DPT=48353 LEN=121 
    Apr 20 19:55:47 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3437 DF PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114 
    Apr 20 19:55:48 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=17173 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113 
    Apr 20 19:55:48 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=117 ID=41351 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=113 
    Apr 20 19:55:50 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=117 ID=41359 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=113 
    Apr 20 19:55:51 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.193.212.166 DST=192.168.1.144 <1>LEN=141 TOS=0x00 PREC=0x00 TTL=53 ID=4069 PROTO=UDP <1>SPT=48281 DPT=48353 LEN=121 
    Apr 20 19:55:51 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3442 DF PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114 
    Apr 20 19:55:52 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=5405 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113 
    Apr 20 19:55:54 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=117 ID=41376 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=113
     
    Last edited: Apr 20, 2013
  2. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Are you or another PC in your network using torrent or another kind of P2P?
     
  3. boltbell

    boltbell Registered Member

    Joined:
    Apr 20, 2013
    Posts:
    4
    Not that I know of... nothing should be peering. BTW it's happening to my iPad too o_O, looks like attempts to connect to it and the firewall is accepting them.
     
    Last edited: Apr 21, 2013
  4. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    How does one know if one is part of a botnet?

    Best regards,
     
  5. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    Here's a link: hxxp://www.welivesecurity.com/2010/04/21/top-10-signs-your-computer-may-be-part-of-a-botnet/
     
  6. Apr 20 19:49:06 kernel: ACCEPT <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=10546 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=114

    A packet was ACCEPTed comINg from ppp0 (the WAN side = wide area network = meaning the internet) with SouRCe 50.137.168.66 (the website sending) and DeSTination 192.168.1.144 (a PC/telephone/laptop/tablet behind the router on your LAN = Local Area Network), with total LENgth of 134 bytes, Type Of Service 0x00, PRECedence = 0x00 and Time To Live 117 milliseconds, IDentification of the datagram 10546, PROTOcol UDP, Source PorT 42387, Destination PorT 48353, data LENgth 114 bytes.

    Go to for instance http://cqcounter.com/whois/ and enter the source IP address (here 50.137.168.66) to get an idea who is sending this data.

    192.168.1.183 probably your phone?
    192.168.1.144 probably your PC? COMCAST Cable is probably your ISP/cable provider
     
    Last edited by a moderator: Apr 21, 2013
  7. Botnets are used for DDoS attacks, the same as what happens when everybody tries to call their family and friends at New Year. A botnet is a crowd mob on the internet trying to overload the servers of the one who receives all this traffic (everybody is calling the same person).

    The botnet commander tells (the inbound message) you to spawn a lot of traffic to a target IP address (the outbound destination and target of the attack).

    So you would get very little inward traffic (from the botnet commander), and much outward traffic to specific destinations, repeated to the same one within a time frame (the botnet's target of attack).

    This does not look like a botnet log, but maybe a firewall expert might drop in to explain, like Stem or Seer.
     
    Last edited by a moderator: Apr 21, 2013
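The two posts above describe, first, how to read one router log line and, second, the traffic shape a DDoS bot would produce (little inbound, a burst of outbound to one repeated destination). The script below is an added example written for this thread, not code from the poster or from Asus: it parses the router's kernel-log lines, counts how many distinct external sources are hitting each LAN host/port, and then applies the in-versus-out heuristic from post 7. The `IN=ppp0` lines are copied from the first post; the `IN=br0 OUT=ppp0` lines are constructed (the poster's log contains no outbound entries) and use documentation addresses, and `WAN_IF = "ppp0"` is assumed from the log.

```python
"""Triage the router log above: who is hitting which LAN host/port, and does any
LAN host show the 'little in, lots out to one target' skew of a DDoS bot.
Added example, not code from the thread. The IN=ppp0 lines are copied from the
original post; the IN=br0 OUT=ppp0 lines are constructed (the poster's log has no
outbound entries) and use documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

ROUTER_LOG = """\
Apr 20 19:49:06 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=50.137.168.66 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=10546 PROTO=UDP <1>SPT=42387 DPT=48353 LEN=114
Apr 20 19:51:33 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=58.170.246.230 DST=192.168.1.183 <1>LEN=52 TOS=0x00 PREC=0x40 TTL=112 ID=43249 DF PROTO=TCP <1>SPT=49361 DPT=43825 SEQ=2405954664 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030101010402)
Apr 20 19:52:31 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=32.132.18.121 DST=192.168.1.144 <1>LEN=46 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP <1>SPT=42408 DPT=48353 LEN=26
Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=25276 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113
Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3363 PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114
Apr 20 19:56:00 kernel: ACCEPT  <4>ACCEPT IN=br0 OUT=ppp0 <1>SRC=192.168.1.144 DST=203.0.113.10 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP <1>SPT=50001 DPT=80 SEQ=1 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 19:56:01 kernel: ACCEPT  <4>ACCEPT IN=br0 OUT=ppp0 <1>SRC=192.168.1.144 DST=203.0.113.10 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP <1>SPT=50002 DPT=80 SEQ=1 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 19:56:02 kernel: ACCEPT  <4>ACCEPT IN=br0 OUT=ppp0 <1>SRC=192.168.1.144 DST=203.0.113.10 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP <1>SPT=50003 DPT=80 SEQ=1 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 19:56:03 kernel: ACCEPT  <4>ACCEPT IN=br0 OUT=ppp0 <1>SRC=192.168.1.144 DST=203.0.113.10 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP <1>SPT=50004 DPT=80 SEQ=1 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 19:57:10 kernel: ACCEPT  <4>ACCEPT IN=br0 OUT=ppp0 <1>SRC=192.168.1.144 DST=198.51.100.5 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP <1>SPT=50005 DPT=443 SEQ=1 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
"""

_KV = re.compile(r"\b([A-Z]+)=(\S+)")
WAN_IF = "ppp0"  # assumed: the poster's DSL interface, as named in the log


def parse_line(line):
    """One kernel log line -> dict, or None for lines without packet fields."""
    kv = dict(_KV.findall(line))          # later LEN= (payload) overwrites the IP LEN=
    if "SRC" not in kv or "DST" not in kv:
        return None
    return {
        "ts": datetime.strptime(line[:15], "%b %d %H:%M:%S"),  # log carries no year
        "verdict": "DROP" if "DROP" in line else "ACCEPT",
        "direction": "in" if kv.get("IN") == WAN_IF else "out",
        "src": kv["SRC"], "dst": kv["DST"], "proto": kv.get("PROTO", "?"),
        "spt": int(kv.get("SPT", 0)), "dpt": int(kv.get("DPT", 0)),
        "ttl": int(kv.get("TTL", 0)),     # IP TTL is a hop count, not a time
    }


def inbound_by_service(records):
    """Distinct external sources per (LAN host, proto, port): many sources on one
    high port of one host is the fan-in pattern in the poster's log."""
    srcs = defaultdict(set)
    for r in records:
        if r["direction"] == "in" and r["verdict"] == "ACCEPT":
            srcs[(r["dst"], r["proto"], r["dpt"])].add(r["src"])
    return {k: len(v) for k, v in srcs.items()}


def direction_counts(records):
    """Per LAN host: (inbound, outbound) packet counts. A DDoS bot shows the
    opposite skew to this log: little in, a lot out."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        host = r["dst"] if r["direction"] == "in" else r["src"]
        counts[host][0 if r["direction"] == "in" else 1] += 1
    return {h: tuple(c) for h, c in counts.items()}


def repeated_outbound(records, window_s=60, threshold=3):
    """LAN hosts hitting the same (dst, proto, port) >= threshold times inside
    window_s seconds: the repeated-destination burst described in post 7."""
    flows = defaultdict(list)
    for r in records:
        if r["direction"] == "out":
            flows[(r["src"], r["dst"], r["proto"], r["dpt"])].append(r["ts"])
    hits = []
    for key, times in flows.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):            # sliding window over timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits.append(key + (best,))
    return hits


def analyse(text):
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return {"inbound": inbound_by_service(records),
            "directions": direction_counts(records),
            "bursts": repeated_outbound(records)}


if __name__ == "__main__":
    result = analyse(ROUTER_LOG)
    for k, n in sorted(result["inbound"].items(), key=lambda kv: -kv[1]):
        print("%-15s %-4s %6d  distinct sources: %d" % (k[0], k[1], k[2], n))
    print("in/out per host:", result["directions"])
    print("outbound bursts:", result["bursts"])
```

On the poster's own lines the script reports several distinct sources all landing on 192.168.1.144 UDP/48353 and no outbound bursts at all, which is the "normal inbound traffic" reading the later replies give; only the constructed lines to 203.0.113.10 trip the burst heuristic. The same `parse_line` works on the ACCEPT and DROP variants of this log format, so it can be pointed at a full export rather than the excerpt.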
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Were you browsing at the time of those log events? Assuming you were, I agree that the log shows normal inbound traffic to your PC.
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    :thumb: yes and a too chatty router log.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    You need to identify what firewall product you are using.

    For transparency I use OP FW Pro 8.0 at the moment. There are many other products. But that is NOT part of this thread.


    Remove all the rules and run your SW FW in learning mode for say a week then go into the rules and remove any incoming that you don't need.

    IMHO you have not got your rules set up properly to filter incoming packets.

    Incoming should be BLOCKED unless there is some reason to allow.

    Here is a good chunk of your source domains from your log (not too chatty, but it indicates issues with your security IMHO).

    Do you need incoming from Angola?

    Here is the translation from your log:


    Code:
    1 50.137.168.66 USA - New Jersey Comcast Cable Communications Holdings, Inc 50.137.128.0 50.137.191.255 Comcast Cable Communications Holdings, Inc 1800 Bishops Gate Blvd, Mt Laurel CNIPEO-Ip-registration@cable.comcast.com abuse@comcast.net +1-856-317-7272   c-50-137-168-66.hsd1.or.comcast.net 
    2 58.170.246.230 India Broadcast addresses  255.255.255.255 Telstra Internet Address Registry Telstra Internet, Locked Bag 5744, Canberra, ACT 2601 addressing@telstra.net abuse@telstra.net +61 3 9815 5923  CPE-58-170-246-230.lnse4.win.bigpond.net.au 
    3 32.132.18.121 USA - Florida AT&T Global Network Services, LLC 32.0.0.0 32.255.255.255 AT&T Global Network Services, LLC 3200 Lake Emma Road, Lake Mary help@ip.att.net abuse@att.net +1-919-319-8130   mobile-032-132-018-121.mycingular.net 
    4 24.254.234.57 USA - Georgia Cox Communications 24.254.192.0 24.254.255.255 Cox Communications Inc. 1400 Lake Hearn Dr., Atlanta abuse@cox.net abuse@cox.net +1-404-269-7626   ip24-254-234-57.hr.hr.cox.net 
    5 41.70.207.241 Angola IP Address pool assigned to GPRS and HSDPA customers. 41.70.192.0 41.70.255.255 Pepino Prazer Movicel Telecomunicacoes SA, Av. Talatona, Ed. Kuando Kubango, Condominio Business Park, Talatona, Luanda Sul, Luanda - Angola, Luanda, Angola pepino.prazer@movicel.co.ao  +244 222692301   
    6 59.124.71.230 India Broadcast addresses  255.255.255.255 HINET Network-Adm CHTD, Chunghwa Telecom Co., Ltd., No. 21, Sec. 21, Hsin-Yi Rd.,, Taipei Taiwan 100 network-adm@hinet.net  +886 2 2344 3007  59-124-71-230.HINET-IP.hinet.net 
    7 41.70.200.194 Angola IP Address pool assigned to GPRS and HSDPA customers. 41.70.192.0 41.70.255.255 Pepino Prazer Movicel Telecomunicacoes SA, Av. Talatona, Ed. Kuando Kubango, Condominio Business Park, Talatona, Luanda Sul, Luanda - Angola, Luanda, Angola pepino.prazer@movicel.co.ao  +244 222692301   
    8 71.193.212.166 USA - New Jersey Comcast Cable Communications, IP Services 71.193.128.0 71.193.255.255 Comcast Cable Communications, Inc. 1800 Bishops Gate Blvd., Mt Laurel CNIPEO-Ip-registration@cable.comcast.com abuse@comcast.net +1-856-317-7272   c-71-193-212-166.hsd1.or.comcast.net 
    9 76.30.146.209 USA - New Jersey Comcast Cable Communications, Inc. 76.30.0.0 76.31.255.255 Comcast Cable Communications, Inc. 1800 Bishops Gate Blvd, Mt Laurel CNIPEO-Ip-registration@cable.comcast.com abuse@comcast.net +1-856-317-7272   c-76-30-146-209.hsd1.tx.comcast.net
     
  11. boltbell

    boltbell Registered Member

    Joined:
    Apr 20, 2013
    Posts:
    4
    Thanks for the reply guys. It was a third party Roku channel that was causing the issue. The UPnP was allowing the ports to be forwarded to my local computers but the firewalls on the local computers dropped the packets.

    All is well now, thanks!
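The root cause the poster found (a third-party Roku channel opening port forwards through UPnP) has a check worth showing: ask the router's UPnP Internet Gateway Device service which port mappings it currently holds. The following is an added example written for this thread, not code from the poster, from Roku or from any router vendor. The standard parts are the WANIPConnection:1 service, its GetGenericPortMappingEntry action and the argument names; the gateway responses, the description string "example-channel" and the control URL a live run would pass are constructed stand-ins (discovering the control URL via SSDP and the device description XML is not shown).

```python
"""Enumerate the port mappings a UPnP IGD router is holding: the table a Roku
channel (or anything else on the LAN) fills when it asks the router to forward
a port. Added example, not code from the thread or from any router vendor.
Standard parts: the WANIPConnection:1 service, the GetGenericPortMappingEntry
action and its argument names. Constructed parts: the gateway responses below,
the 'example-channel' description, and the control URL a real run would pass.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def build_get_mapping_request(index):
    """Headers and SOAP body for GetGenericPortMappingEntry(NewPortMappingIndex)."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="%s" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:GetGenericPortMappingEntry xmlns:u="%s">'
            '<NewPortMappingIndex>%d</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
            % (SOAP_NS, SERVICE, index))
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % SERVICE}
    return headers, body


def parse_mapping_response(xml_text):
    """Mapping dict, or None on a SOAP fault (error 713 marks the end of the table)."""
    root = ET.fromstring(xml_text)
    if root.find(".//{%s}Fault" % SOAP_NS) is not None:
        return None
    resp = root.find(".//{%s}GetGenericPortMappingEntryResponse" % SERVICE)
    if resp is None:
        return None
    m = {f: (resp.findtext(f) or "") for f in FIELDS}  # argument elements are unqualified
    for k in ("NewExternalPort", "NewInternalPort", "NewLeaseDuration"):
        m[k] = int(m[k] or 0)
    m["NewEnabled"] = m["NewEnabled"] == "1"
    return m


def enumerate_mappings(transport, max_entries=1000):
    """Walk index 0, 1, 2, ... until the gateway faults. transport(headers, body)
    POSTs to the service control URL and returns the response XML."""
    found = []
    for i in range(max_entries):
        m = parse_mapping_response(transport(*build_get_mapping_request(i)))
        if m is None:
            break
        found.append(m)
    return found


def unexpected(mappings, known_clients=()):
    """Enabled mappings whose internal client you did not knowingly expose."""
    return [m for m in mappings
            if m["NewEnabled"] and m["NewInternalClient"] not in known_clients]


def http_transport(control_url):
    """Real transport. control_url comes from the gateway's device description
    XML (SSDP discovery not shown). UPnP delivers SOAP faults as HTTP 500."""
    def post(headers, body):
        req = urllib.request.Request(control_url, data=body.encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                return r.read().decode()
        except urllib.error.HTTPError as e:
            return e.read().decode()
    return post


# Constructed gateway answers: one UDP forward to the PC on the port from the
# router log, then the fault that terminates the walk.
_ENTRY = ('<s:Envelope xmlns:s="%s"><s:Body>'
          '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">'
          '<NewRemoteHost></NewRemoteHost><NewExternalPort>48353</NewExternalPort>'
          '<NewProtocol>UDP</NewProtocol><NewInternalPort>48353</NewInternalPort>'
          '<NewInternalClient>192.168.1.144</NewInternalClient><NewEnabled>1</NewEnabled>'
          '<NewPortMappingDescription>example-channel</NewPortMappingDescription>'
          '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>'
          '</s:Body></s:Envelope>' % (SOAP_NS, SERVICE))
_FAULT = ('<s:Envelope xmlns:s="%s"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
          '<faultstring>UPnPError</faultstring><detail>'
          '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
          '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
          '</detail></s:Fault></s:Body></s:Envelope>' % SOAP_NS)


def fake_gateway(headers, body):
    """Stand-in transport for offline use: index 0 exists, everything else faults."""
    return _ENTRY if "<NewPortMappingIndex>0<" in body else _FAULT


if __name__ == "__main__":
    for m in enumerate_mappings(fake_gateway):
        print("%s/%d -> %s:%d  '%s'" % (m["NewProtocol"], m["NewExternalPort"],
              m["NewInternalClient"], m["NewInternalPort"], m["NewPortMappingDescription"]))
```

Against a real router, replace `fake_gateway` with `http_transport(control_url)`, where the control URL is taken from the gateway's device description; a lease duration of 0 means the mapping is permanent until something deletes it. A forward to a LAN host you never set up yourself is exactly what the poster ran into, and the durable fix is to disable UPnP on the router so applications on the LAN cannot open forwards on their own.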
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Dropped packets? Your log showed all incoming being accepted?

    What log was it?
     
  13. boltbell

    boltbell Registered Member

    Joined:
    Apr 20, 2013
    Posts:
    4
    The log I posted was the router logs, but I enabled my Windows firewall logs and they show the connections being dropped. Very weird, I'm going to be watching the network more closely from now on.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Okay, fine, please post some of your Windows firewall logs to confirm, i.e. the blocking of the incoming. Ensure your own IP is masked prior. :D
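The confirmation asked for here is a join between the two logs: a packet the router ACCEPTed on the WAN side should show up as a DROP with path RECEIVE in the PC's Windows Firewall log, matched on protocol, source, destination and destination port within a few seconds. The script below is an added example for this thread, not something the poster or Escalader provided. The router lines are copied from the first post; the pfirewall.log lines are constructed in the Windows Firewall log format (the `#Fields:` header is the one Windows writes), and the year 2013 is taken from the thread date because the router log carries no year.

```python
"""Join router ACCEPT lines with Windows Firewall (pfirewall.log) DROP lines to
confirm 'router let it in, host dropped it'. Added example, not from the thread.
Router lines: copied from the original post. pfirewall.log lines: constructed in
the Windows Firewall log format. Year 2013: assumed from the thread date.
"""
import re
from datetime import datetime

ROUTER_LOG = """\
Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=71.21.2.174 DST=192.168.1.144 <1>LEN=133 TOS=0x00 PREC=0x00 TTL=51 ID=25276 PROTO=UDP <1>SPT=34531 DPT=48353 LEN=113
Apr 20 19:55:05 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=76.30.146.209 DST=192.168.1.144 <1>LEN=134 TOS=0x00 PREC=0x00 TTL=117 ID=3363 PROTO=UDP <1>SPT=58702 DPT=48353 LEN=114
Apr 20 19:51:33 kernel: ACCEPT  <4>ACCEPT IN=ppp0 OUT=br0 <1>SRC=58.170.246.230 DST=192.168.1.183 <1>LEN=52 TOS=0x00 PREC=0x40 TTL=112 ID=43249 DF PROTO=TCP <1>SPT=49361 DPT=43825 SEQ=2405954664 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405AC0103030101010402)
"""

# Constructed excerpt of %systemroot%\system32\LogFiles\Firewall\pfirewall.log
WINDOWS_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2013-04-20 19:55:05 DROP UDP 71.21.2.174 192.168.1.144 34531 48353 133 - - - - - - - RECEIVE
2013-04-20 19:55:06 DROP UDP 76.30.146.209 192.168.1.144 58702 48353 134 - - - - - - - RECEIVE
2013-04-20 19:55:07 ALLOW TCP 192.168.1.144 198.51.100.5 50123 443 0 - 0 0 0 - - - SEND
"""

_KV = re.compile(r"\b([A-Z]+)=(\S+)")
WAN_IF = "ppp0"  # assumed from the poster's log


def router_records(text, year):
    """(time, proto, src, dst, dport) for every WAN-inbound ACCEPT line."""
    out = []
    for line in text.splitlines():
        kv = dict(_KV.findall(line))
        if kv.get("IN") != WAN_IF or "SRC" not in kv or "ACCEPT" not in line:
            continue
        ts = datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S")
        out.append((ts, kv["PROTO"], kv["SRC"], kv["DST"], int(kv["DPT"])))
    return out


def windows_records(text):
    """(time, action, proto, src, dst, dport, path) from pfirewall.log."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):     # skip the W3C-style header
            continue
        f = line.split()
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        out.append((ts, f[2], f[3], f[4], f[5], int(f[7]), f[-1]))
    return out


def correlate(router, windows, slack_s=5):
    """Split router-accepted packets into those the host logged a RECEIVE DROP
    for (within slack_s seconds, to absorb clock skew) and those it did not."""
    drops = [w for w in windows if w[1] == "DROP" and w[-1] == "RECEIVE"]
    confirmed, unaccounted = [], []
    for ts, proto, src, dst, dport in router:
        hit = any(w[2] == proto and w[3] == src and w[4] == dst and w[5] == dport
                  and abs((w[0] - ts).total_seconds()) <= slack_s for w in drops)
        (confirmed if hit else unaccounted).append((proto, src, dst, dport))
    return confirmed, unaccounted


if __name__ == "__main__":
    ok, missing = correlate(router_records(ROUTER_LOG, 2013), windows_records(WINDOWS_LOG))
    for k in ok:
        print("host dropped:     %s %s -> %s:%d" % k)
    for k in missing:
        print("no host evidence: %s %s -> %s:%d" % k)
```

Anything that ends up in the "no host evidence" list is either a device with no host firewall log to check (here the iPad at 192.168.1.183) or a packet the host actually accepted, and those are the lines worth following up; the script prints only private LAN addresses from this excerpt, but on a full export the public WAN address appears in the SEND lines and should be masked before posting.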
     